Bug 783873 - heap-use-after-free nautilus-file.c:2293 in batch_rename_get_info_callback
Status: RESOLVED FIXED
Product: nautilus
Classification: Core
Component: File and Folder Operations
Version: 3.26.x
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Nautilus Maintainers
Nautilus Maintainers
Depends on:
Blocks:
Reported: 2017-06-17 00:00 UTC by Mohammed Sadiq
Modified: 2017-06-24 17:26 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments:
- nautilus-file: fix invalid memory access (1.13 KB, patch), 2017-06-17 08:52 UTC, Alexandru Pandelea, status: none
- nautilus-file: fix invalid memory access (1.13 KB, patch), 2017-06-18 10:21 UTC, Alexandru Pandelea, status: committed

Description Mohammed Sadiq 2017-06-17 00:00:37 UTC
How to reproduce:

1. Select several files/folders -> Right click -> Rename (which shall open batch rename dialog)
2. Give in some sequence -> Click rename.


==6499==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700035ffd8 at pc 0x55c2685ad929 bp 0x7fffa813a1f0 sp 0x7fffa813a1e8
READ of size 8 at 0x60700035ffd8 thread T0
    #0 0x55c2685ad928 in batch_rename_get_info_callback ../src/nautilus-file.c:2293
    #1 0x7fe65969074e in g_task_return_now /home/sadiq/jhbuild/checkout/glib/gio/gtask.c:1145
    #2 0x7fe659690796 in complete_in_idle_cb /home/sadiq/jhbuild/checkout/glib/gio/gtask.c:1159
    #3 0x7fe65b40fa7a in g_idle_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:5586
    #4 0x7fe65b4108aa in g_main_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3234
    #5 0x7fe65b4131dc in g_main_context_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3899
    #6 0x7fe65b413336 in g_main_context_iterate /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3972
    #7 0x7fe65b4133b8 in g_main_context_iteration /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:4033
    #8 0x7fe6596a976e in g_application_run /home/sadiq/jhbuild/checkout/glib/gio/gapplication.c:2381
    #9 0x55c2684ff5e3 in main ../src/nautilus-main.c:102
    #10 0x7fe656cb82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x55c2684f9529 in _start (/media/sadiq/Main/Software/src/gnome/nautilus/build/src/nautilus+0x38a529)

0x60700035ffd8 is located 8 bytes inside of 80-byte region [0x60700035ffd0,0x607000360020)
freed by thread T0 here:
    #0 0x7fe65b9b4a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7fe65b418b21 in g_free /home/sadiq/jhbuild/checkout/glib/glib/gmem.c:189
    #2 0x55c2685a50cb in nautilus_file_operation_free ../src/nautilus-file.c:1892
    #3 0x55c2685abdd1 in nautilus_file_operation_complete ../src/nautilus-file.c:1921
    #4 0x55c2685ad90a in batch_rename_get_info_callback ../src/nautilus-file.c:2290
    #5 0x7fe65969074e in g_task_return_now /home/sadiq/jhbuild/checkout/glib/gio/gtask.c:1145
    #6 0x7fe659690796 in complete_in_idle_cb /home/sadiq/jhbuild/checkout/glib/gio/gtask.c:1159
    #7 0x7fe65b40fa7a in g_idle_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:5586
    #8 0x7fe65b4108aa in g_main_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3234
    #9 0x7fe65b4131dc in g_main_context_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3899
    #10 0x7fe65b413336 in g_main_context_iterate /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3972
    #11 0x7fe65b4133b8 in g_main_context_iteration /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:4033
    #12 0x7fe6596a976e in g_application_run /home/sadiq/jhbuild/checkout/glib/gio/gapplication.c:2381
    #13 0x55c2684ff5e3 in main ../src/nautilus-main.c:102
    #14 0x7fe656cb82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7fe65b9b4ed0 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1ed0)
    #1 0x7fe65b418a5e in g_malloc0 /home/sadiq/jhbuild/checkout/glib/glib/gmem.c:124
    #2 0x55c268592d10 in nautilus_file_operation_new ../src/nautilus-file.c:1836
    #3 0x55c2685ae590 in real_batch_rename ../src/nautilus-file.c:2326
    #4 0x55c2685af275 in nautilus_file_batch_rename ../src/nautilus-file.c:2421
    #5 0x55c2686f29d4 in begin_batch_rename ../src/nautilus-batch-rename-dialog.c:480
    #6 0x55c2686f2c20 in prepare_batch_rename ../src/nautilus-batch-rename-dialog.c:691
    #7 0x55c2686f2f1b in batch_rename_dialog_on_response ../src/nautilus-batch-rename-dialog.c:709
    #8 0x7fe6593b8ea3 in g_cclosure_marshal_VOID__INTv /home/sadiq/jhbuild/checkout/glib/gobject/gmarshal.c:1200
    #9 0x7fe6593b6dc2 in _g_closure_invoke_va /home/sadiq/jhbuild/checkout/glib/gobject/gclosure.c:867
    #10 0x7fe6593d3695 in g_signal_emit_valist /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3300
    #11 0x7fe6593d4406 in g_signal_emit /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3447
    #12 0x7fe65ac19e94 in gtk_dialog_response /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkdialog.c:1235

SUMMARY: AddressSanitizer: heap-use-after-free ../src/nautilus-file.c:2293 in batch_rename_get_info_callback
==6499==ABORTING
Comment 1 Alexandru Pandelea 2017-06-17 08:52:52 UTC
Created attachment 353937
nautilus-file: fix invalid memory access

When the operation is freed on the first if, the operation will
still be accessed on the second if.

To fix this, merge the two if's since they both complete the
operation.
Comment 2 Carlos Soriano 2017-06-17 15:26:24 UTC
Review of attachment 353937:

::: src/nautilus-file.c
@@ +2287,3 @@
 
+    if (op->renamed_files + op->skipped_files == g_list_length (op->files) ||
+        op->files == NULL)
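Review bot: the hunk shows only the merged condition, not the branch body, and the body is where the bug lives: the "freed by" trace above shows nautilus_file_operation_complete() freeing op (nautilus-file.c:1892, called from line 2290) before the read at line 2293. The branch should therefore end with a return immediately after the complete call, or the rest of the callback must provably not dereference op; otherwise the same read survives the merge. On the condition itself, g_list_length (NULL) returns 0, so moving `op->files == NULL` first (as requested below) is a readability and cost improvement that skips the list walk rather than a safety requirement; note also that recomputing g_list_length (op->files) in every per-file callback makes completion detection O(n) per callback, and caching the file count when the operation is created would make it O(1).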

Can you put the == NULL first? Otherwise looks good
Comment 3 Alexandru Pandelea 2017-06-18 10:21:18 UTC
Created attachment 353975
nautilus-file: fix invalid memory access

When the operation is freed on the first if, the operation will
still be accessed on the second if.

To fix this, merge the two if's since they both complete the
operation.
Comment 4 Ernestas Kulik 2017-06-24 17:26:35 UTC
Attachment 353975 pushed as 68cfc99 - file: fix invalid memory access
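A compilable model of the pattern described in comments 1 and 3 and the ordering asked for in comment 2, added here as an illustration and not nautilus code: the Op struct, Node list, op_complete() and on_file_info_*() names are constructed stand-ins for NautilusFileOperation, GList, nautilus_file_operation_complete() and batch_rename_get_info_callback(). The "before" form is compiled for comparison only and never called, because running it would read freed memory.

```c
#include <stdlib.h>
typedef struct Node { struct Node *next; } Node;   /* stand-in for GList */
typedef struct {
    Node *files;      /* files the batch still refers to */
    int   renamed_files, skipped_files;
    int  *completed;  /* test hook: how often the op was completed */
} Op;

static int list_length(const Node *l) {            /* like g_list_length() */
    int n = 0;
    for (; l != NULL; l = l->next) n++;
    return n;
}

/* Models nautilus_file_operation_complete(): frees op, so the caller
 * must not touch op once this returns. */
static void op_complete(Op *op) { (*op->completed)++; free(op); }
/* Shape before the fix (modelled, not the original source): two
 * independent ifs, each completing the op. When the first fires, the
 * second reads op->files from freed memory, the read ASan flagged at
 * nautilus-file.c:2293. Compiled for comparison only, never called. */
void on_file_info_before(Op *op, int ok) {
    if (ok) op->renamed_files++; else op->skipped_files++;
    if (op->renamed_files + op->skipped_files == list_length(op->files))
        op_complete(op);
    if (op->files == NULL)           /* use-after-free if freed just above */
        op_complete(op);
}

/* After the fix: one condition, NULL check first as asked in review, and
 * an immediate return so nothing dereferences the freed op. */
static void on_file_info_after(Op *op, int ok) {
    if (ok) op->renamed_files++; else op->skipped_files++;
    if (op->files == NULL ||
        op->renamed_files + op->skipped_files == list_length(op->files)) {
        op_complete(op);
        return;
    }
}

/* Drives n per-file callbacks (n >= 1) through the fixed callback and
 * returns how often the op completed; exactly 1 means no double completion. */
int run_batch(int n) {
    int completed = 0; Node *files = NULL;
    for (int i = 0; i < n; i++) { Node *x = malloc(sizeof *x); x->next = files; files = x; }
    Op *op = calloc(1, sizeof *op);
    op->files = files; op->completed = &completed;
    for (int i = 0; i < n; i++) on_file_info_after(op, i % 2);   /* alternate ok/skip */
    while (files != NULL) { Node *next = files->next; free(files); files = next; }
    return completed;
}
```

Building the model with -fsanitize=address and calling on_file_info_before() instead reproduces the same heap-use-after-free class of report shown in the bug description.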